FS#56297 - [kscreenlocker] PLEASE ENTER SUMMARY
Attached to Project:
Arch Linux
Opened by cfr (cfr42) - Saturday, 11 November 2017, 02:58 GMT
Last edited by Antonio Rojas (arojas) - Saturday, 11 November 2017, 08:29 GMT
Details
Description:
kcheckpass wants access to /var/log/faillog to record failed access attempts, but it cannot open this file as it is 600. journalctl contains repeated lines with errors similar to the following.

    kcheckpass[6503]: pam_tally(kde:auth): Error opening /var/log/faillog for update
    kcheckpass[6503]: pam_tally(kde:auth): Error opening /var/log/faillog for read
    kcheckpass[6503]: pam_tally(kde:setcred): Error opening /var/log/faillog for update
    kcheckpass[6503]: pam_tally(kde:setcred): Error opening /var/log/faillog for update

A solution suggested by an internet search is to set /usr/lib/kcheckpass setuid. https://unix.stackexchange.com/a/302960/219455

I can't find the manual page mentioned in the question https://unix.stackexchange.com/q/302381/219455, so I'm not sure if the executable is supposed to be setuid or not. But I guess that one way or another it should either have access or not be trying to gain access.

A related bug report from 2012/3 was closed as fixed for a similar issue, but I couldn't find any details of which fix was implemented, although the discussion does include a list of possible fixes. It isn't clear whether any of them would be relevant to current systems, but the bug is https://bugs.archlinux.org/task/31544.

Additional info:
* package version(s)
    kscreenlocker 5.11.3-1
    sddm 0.16.0-1
    pambase 20171006-1 (which owns /etc/pam.d/system-login which invokes the need for writing to /var/log/faillog, if I've understood correctly)
* config and/or log files etc.
/etc/pam.d/system-login:

    #%PAM-1.0
    auth required pam_tally.so onerr=succeed file=/var/log/faillog
    auth required pam_shells.so
    auth requisite pam_nologin.so
    auth include system-auth
    account required pam_access.so
    account required pam_nologin.so
    account include system-auth
    password include system-auth
    session optional pam_loginuid.so
    session optional pam_keyinit.so force revoke
    session include system-auth
    #session optional pam_motd.so motd=/etc/motd
    #session optional pam_mail.so dir=/var/spool/mail standard quiet
    -session optional pam_systemd.so
    session required pam_env.so

Although this is customised, the use of faillog is also in the packaged version:

    #%PAM-1.0
    auth required pam_tally.so onerr=succeed file=/var/log/faillog
    auth required pam_shells.so
    auth requisite pam_nologin.so
    auth include system-auth
    account required pam_access.so
    account required pam_nologin.so
    account include system-auth
    password include system-auth
    session optional pam_loginuid.so
    session optional pam_keyinit.so force revoke
    session include system-auth
    session optional pam_motd.so motd=/etc/motd
    session optional pam_mail.so dir=/var/spool/mail standard quiet
    -session optional pam_systemd.so
    session required pam_env.so

I just don't have a mail server and can do without messages of the day ....

Steps to reproduce:
Install required packages, invoke screen locker in some way, log back in and examine the journal.
Closed by Antonio Rojas (arojas)
Saturday, 11 November 2017, 08:29 GMT
Reason for closing: Duplicate
Additional comments about closing: FS#50369
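Added example, not part of the original report and not Arch or KDE code: a sketch that walks a PAM service's include chain to find the counter file pam_tally will open, then checks from the mode bits whether a non-root caller such as kcheckpass could open it read-write. The kde and system-auth file contents are constructed for illustration; only the system-login lines come from the report.

```python
import os
import tempfile

# Constructed sample: a hypothetical "kde" service file that includes the
# system-login stack quoted in the report (auth lines only).
SAMPLE_PAM = {
    "kde": "#%PAM-1.0\nauth include system-login\n",
    "system-login": (
        "#%PAM-1.0\n"
        "auth required pam_tally.so onerr=succeed file=/var/log/faillog\n"
        "auth required pam_shells.so\n"
        "auth include system-auth\n"
    ),
    "system-auth": "auth [success=1 default=bad] pam_unix.so try_first_pass\n",
}

def tally_files(service, configs, seen=None):
    """Return counter files of pam_tally rules reachable from `service`."""
    seen = set() if seen is None else seen
    if service in seen or service not in configs:
        return []
    seen.add(service)
    found = []
    for line in configs[service].splitlines():
        rest = line.split("#", 1)[0].split()[1:]  # drop the type field
        # The control field may be a bracketed list containing spaces.
        while len(rest) > 1 and rest[0].startswith("[") and not rest[0].endswith("]"):
            rest[:2] = [" ".join(rest[:2])]
        if len(rest) < 2:
            continue
        control, target, args = rest[0], rest[1], rest[2:]
        if control in ("include", "substack"):
            found += tally_files(target, configs, seen)
        elif os.path.basename(target) == "pam_tally.so":
            paths = [a[len("file="):] for a in args if a.startswith("file=")]
            found += paths or ["/var/log/faillog"]  # pam_tally's default file
    return found

def can_update(path, uid, gids=()):
    """True if a non-root uid/gids may open path read-write (mode bits only, no ACLs)."""
    st = os.stat(path)
    shift = 6 if uid == st.st_uid else 3 if st.st_gid in gids else 0
    return (st.st_mode >> shift) & 0o6 == 0o6

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile() as f:  # stand-in for a 0600 faillog
        os.chmod(f.name, 0o600)
        other = os.stat(f.name).st_uid + 1  # any uid that is not the owner
        print(tally_files("kde", SAMPLE_PAM), can_update(f.name, other))
```

On a real system the configs mapping would be read from /etc/pam.d and can_update called with the path returned and the uid of the locked session's user.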
Comment by cfr (cfr42) - Saturday, 11 November 2017, 03:03 GMT
There is something very odd going on for me with the bug tracker
tonight. Apologies for not having a box to change 'PLEASE ENTER
SUMMARY' to something more meaningful. (I also had to try three or
four ways of invoking the possibility of reporting a bug at all
before I actually got that option to appear.) If somebody could
change the subject to something like 'kcheckpass wants access to
faillog', it would be greatly appreciated.